(add-to-load-path (dirname (current-filename)))

(use-modules (gnu)
             (gnu system)
             (guix modules)
             ;;(endlessh-service)
             (public-keys))
(use-service-modules certbot dbus desktop docker networking
                     ssh sysctl web)
(use-package-modules admin
                     certs
                     package-management
                     ssh
                     tls)

(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
       (kill pid SIGHUP))))

(define %my-base-services
  (modify-services %base-services
    (guix-service-type config =>
                       (guix-configuration (inherit config)
                                           (discover? #t)
                                           (substitute-urls
                                            (append (list
                                                     "https://bordeaux-us-east-mirror.cbaines.net/"
                                                     "https://guix.tobias.gr")
                                                    %default-substitute-urls))
                                           (authorized-keys
                                            (append (list
                                                     ;; setting up guix deploy from dobby.
                                                     (local-file "./dobby-guix-signing-key.pub")
                                                     (plain-file
                                                      "guix.tobias.gr"
                                                      "(public-key
 (ecc
  (curve Ed25519)
  (q #E21911E159DB6D031A763509A255B054360A4A96F5668CBBAC48052E67D274D3#)
  )
 )
")
                                                     (plain-file
                                                      "bordeaux.guix.gnu.org.signing.key"
                                                      "
(public-key
 (ecc
  (curve Ed25519)
  (q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)
  )
 )")
                                                     )))
                                           (extra-options '("--max-jobs=1"))))

    ;; security stuff.
    (sysctl-service-type config =>
                         (sysctl-configuration
                          (settings
                           (append
                            '(
                              ;;disable ipv6
                              ("net.ipv6.conf.all.disable_ipv6"        . "1")
                              ("net.ipv6.conf.all.disable_policy"      . "1")
                              ("net.ipv6.conf.default.disable_ipv6"    . "1")
                              ("net.ipv6.conf.default.disable_policy"  . "1")
                              ("net.ipv6.conf.enp0s10.disable_ipv6"    . "1")
                              ("net.ipv6.conf.enp0s10.disable_policy"  . "1")
                              ("net.ipv6.conf.lo.disable_ipv6"         . "1")
                              ("net.ipv6.conf.lo.disable_policy"       . "1")
                              ;; disable ebpf in kernel virtual machine for unprivledged users
                              ("sysctl kernel.unprivileged_bpf_disabled" . "1")
                              ("spec_store_bypass_disable" . "on")
                              ("spectre_v2" . "on")
                              ("lld_flush" . "on")
                              ;; need to enable apparmor for this...
                              ;;("lockdown" . "confidentiality")
                              ("init_on_alloc" . "1")
                              ("init_on_free"  . "1")
                              ("page_alloc.shuffle" . "1")
                              ;;("slab_nomerge")
                              ("vsyscall"      . "1")
                              ;; ("slub_debug" . "F")
                              ("randomize_kstack_offset" . "1")
                              ;; disable re-leading a running kernel
                              ("kernel.kexec_load_disabled" . "1")
                              ;; restrict kernel pointers
                              ("kernel.kptr_restrict" . "2")
                              ;; unprivledegd users cannot get perf events
                              ("kernel.perf_event_paranoid" . "3")
                              ;; only privledged users can use bpf
                              ("net.core.bpf_jit_harden" . "2")
                              ("kernel.unprivleged_bpf" . "1")
                              ;; prevest some proofing attacks
                              ("net.ipv4.conf.all.rp_filter" . "1")
                              ("net.ipv4.conf.default.rp_filter" . "1")
                              ;; disable icmp redirects and
                              ;; RFC1620 shared media redirects
                              ("net.ipv4.conf.all.accept_redirects" . "0")
                              ("net.ipv4.conf.all.secure_redirects" . "0")
                              ("net.ipv4.conf.all.send_redirects" . "0")
                              ("net.ipv4.conf.all.shared_media" . "0")
                              ("net.ipv4.conf.default.accept_redirects" . "0")
                              ("net.ipv4.conf.default.secure_redirects" . "0")
                              ("net.ipv4.conf.default.send_redirects" . "0")
                              ("net.ipv4.conf.default.shared_media" . "0")
                              ("net.ipv6.conf.all.accept_redirects" . "0")
                              ("net.ipv6.conf.default.accept_redirects" . "0")
                              ;; disallow source-routed packets
                              ("net.ipv4.conf.all.accept_source_route" . "0")
                              ("net.ipv4.conf.default.accept_source_route" . "0")
                              ("net.ipv6.conf.all.accept_source_route" . "0")
                              ("net.ipv6.conf.default.accept_source_route" . "0")
                              ;; disable pings sent to a broadcast address
                              ("net.ipv4.icmp_echo_ignore_broadcasts" . "1")
                              ;; disable bogus icmp error responses
                              ("net.ipv4.icmp_ignore_bogus_error_responses" . "1")

                              ;; protect against time-wait assassination hazards in tcp
                              ("net.ipv4.tcp_rfc1337" . "1")

                              ("net.ipv4.tcp_sack" . "0")
                              ("net.ipv4.tcp_dsack" . "0")

                              ("net.ipv4.tcp_timestamps" . "0")
                              ("vm.mmap_rnd_bits" . "32")
                              ("vm.mmap_rnd_compat_bits" . "16")
                              ("net.ipv4.icmp_echo_ignore_all" . "1")
                              )
                            %default-sysctl-settings))))))

(define %system
  (operating-system
    (host-name "aquinas")
    (timezone "America/Chicago")
    (locale "en_US.UTF-8")
    ;; This goofy code will generate the grub.cfg
    ;; without installing the grub bootloader on disk.
    (bootloader (bootloader-configuration
                 (bootloader
                  (bootloader
                   (inherit grub-bootloader)
                   (installer #~(const #true))))))
    (file-systems (cons (file-system
                          (device "/dev/sda")
                          (mount-point "/")
                          (type "ext4"))
                        %base-file-systems))

    (swap-devices (list (swap-space
                         (target "/dev/sdb"))))

    (initrd-modules (cons "virtio_scsi" ; Needed to find the disk
                          %base-initrd-modules))

    (users (cons (user-account
                  (name "joshua")
                  (group "users")
                  ;; Adding the account to the "wheel" group
                  ;; makes it a sudoer.
                  (supplementary-groups '("wheel"))
                  (home-directory "/home/joshua"))
                 %base-user-accounts))

    ;; let joshua execute a privledged command via "sudo joshua" w/o
    ;; prompting for a password.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                (format #f "~a ALL = NOPASSWD: ALL~%"
                                        "joshua"))))

    (packages (cons* nss-certs          ;for HTTPS access
                     openssh-sans-x
                     %base-packages))

    (services (cons*
               (service certbot-service-type
                        (certbot-configuration
                         (email "mysubscriptions@member.fsf.org")
                         (webroot "/srv/www/")
                         (certificates
                          (list
                           (certificate-configuration
                            (name "the-nx.com")
                            (domains '("the-nx.com" "www.the-nx.com"))
                            (deploy-hook %nginx-deploy-hook))))))

               (dbus-service)
               (service dhcp-client-service-type)
               (service docker-service-type)
               (elogind-service)
               (service openssh-service-type
                        (openssh-configuration
                         (openssh openssh-sans-x)
                         (password-authentication? #false)
                         ;;(port-number 63355)
                         (authorized-keys
                          `(("joshua" ,(plain-file "id_rsa.pub" %joshua-ssh-key))))
                         ))

               ;; TODO my firewall is NOT working!
               ;;(service nftables-service-type)

               (service nginx-service-type
                        (nginx-configuration
                         (server-blocks
                          (list
                           (nginx-server-configuration
                            (server-name '("the-nx.com"))
                            (listen (list ;;"80"
                                     "443 ssl http2"
                                     ;;"[::]:80"
                                     ;;"[::80]:443 ssl http2"
                                     ))
                            (root "/srv/www/html/the-nx.com")
                            (ssl-certificate "/etc/letsencrypt/live/the-nx.com/fullchain.pem")
                            (ssl-certificate-key "/etc/letsencrypt/live/the-nx.com/privkey.pem")
                            (locations
                             (list
                              (nginx-location-configuration ;; for certbot
                               (uri "/.well-known")
                               (body (list "root /srv/www;")))
                              (nginx-location-configuration
                               (uri "/")
                               (body
                                (list
                                 ;; prevent nginx server detection.
                                 "server_tokens off;\n"

                                 "proxy_pass http://127.0.0.1:9000;\n"
                                 "proxy_set_header X-Real-IP $remote_addr;\n"
                                 "proxy_set_header Host $host;\n"
                                 "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n"
                                 "client_max_body_size 0;\n"
                                 "# Websocket\n"
                                 "proxy_http_version 1.1;\n"
                                 "proxy_set_header Upgrade $http_upgrade;\n"))))))))))
               %my-base-services))))

(list (machine
       (operating-system %system)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name "198.58.111.31")
                       (system "x86_64-linux")
                       (user "joshua")
                       (identity "~/.ssh/id_rsa")
                       (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJNUfLuM02Mrxj8zQcBcFx7RwIcLTrtu9enCIEP/79tr root@(none)")
                       (port 22)))))
